We continue to see clients hit with notifications from vendors about security incidents caused by either the vendor or the vendor’s downstream supply chain. Often, the client didn’t even know that its vendor was outsourcing part or all of the work to another vendor. When a security incident occurs down the line, the entity that experienced the security incident or data breach usually has contractual obligations to tell its customer, and its customer then has the contractual obligation to tell its customer, and on and on up the line. If you are at the end of the line, all of the supply chain vendors are saying that their only obligation is to notify you, and you must notify any affected individuals and the regulatory authorities.
Managing the supply chain is challenging but necessary in today’s world of sophisticated cyber-attacks. In our experience, there is no one size that fits all when it comes to contract management. But no matter what size or how complex your organization is, a supply chain and vendor security and contract management program is essential to reduce risk of downstream incidents.
We hear the term “vendor management” all the time when discussing how to address downstream risk. Vendor management is one aspect of the supply chain risk analysis. Yes, it is important to assess which of your vendors have access to your high risk data, and once you determine that, to review their security posture and then incorporate security requirements into the contract. But it is also important to know who your vendors are doing business with and how those businesses are treating your data.
I submit that during the assessment of the vendor you find out who their key subcontractors or partners are, whether they are doing appropriate due diligence on their subcontractors’ security posture, and whether they are requiring drop-down provisions that the vendor has agreed to with the entire supply chain down the line. Some clients are requiring vendors to provide proof that the vendor has done a security questionnaire or other due diligence efforts on their vendors so the entire supply chain is secure. Other clients are requiring vendors to request permission before allowing any subcontractor to have access to data. And still others are flat out refusing to allow any vendor to subcontract any portion of the contract to another vendor at all. There are many strategies, and finding the one that works for you is key.
All of these strategies are challenging and difficult when it comes to finalizing a contract and getting work started. Your business partners may be frustrated by the due diligence and the contract negotiations. Nonetheless, the up-front due diligence may prevent a notification from a vendor about a security incident caused by someone else down the supply chain that you didn’t even know existed or had access to your data. Those clients who have had that experience are spending more time up front in evaluating the security of the entire supply chain and managing the contract negotiations to address this issue.